Information security consistently makes news headlines due to its importance and the far-reaching effects of failures. Breaches are commonplace: security researcher Troy Hunt reports a total of 6.8 billion accounts as hacked, and BreachLevelIndex.com reports 14.7 billion records have been breached since 2013.
- What makes the stolen data so valuable?
- Why is security of information, particularly healthcare data of patients, important?
- Why do healthcare entities spend so much time and money to implement these technical controls and policies?
A simple response would be that laws and statutes in the U.S. require protection and privacy of certain information. This is particularly true with regard to patient data (Protected Health Information, or PHI) under the Privacy Rule of HIPAA, its subsequent expansion under HITECH, and then the Omnibus Final Rule of HIPAA.
- Why, then, did state and federal governments deem this information important enough to mandate laws affording protection?
The answer involves how deeply the information can identify an individual, and whether that information can be reset or recovered. When a password for an account is stolen or breached from a website like Facebook, it can be locked or reset. In fact, forcing password resets is a standard first response of a website that discovers it has suffered a breach.
Similarly, though more involved and painful for the individual, when a credit card or bank account is breached or stolen, the account numbers can be reset and funds recovered or reimbursed by the financial institution’s insurance. The affected individual, in the above cases, can be made whole again.
With a breach of PHI, the information often cannot be recovered. Worse still, this information cannot be changed or reset. A patient’s social security number cannot be changed; nor can they choose a different date of birth or place of birth or next of kin, when this information is revealed. These are core data elements to a person.
Further, these core elements are often enough for a malicious actor to create forged identities or false credit against a real person. An existing, legitimate bank account that is breached by a hacker is easier to identify and reverse than a completely new, forged account opened in the victim's name. A victim might only discover a forged account by reviewing his or her credit report, something individuals can only receive for free once a year. And PHI usually contains all the information needed to create these forged accounts.
Finally, consider that PHI contains information that could damage the reputation of an individual if it were made public. This damage could negatively influence potential job offers, acceptance for a bank loan, the peace of their relationships and family, or any number of other important situations.
Knowing why data security is important can help us see and treat the data for what it is: highly sensitive. And, understanding why the data is so sensitive can help us focus on why we do something, like creating separate passwords for each account, rather than simply what we do.